Alpine: multiple wolfssl packages: security update to 5.6.6-r0

medium Tenable Cloud Security Plugin ID 427025

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing
Bleichenbacher style attack, when built with the following options to configure: --enable-all
CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is
not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since
3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to
static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to
decrypt ciphertexts and forge signatures after probing with a large number of test observations. However
the server’s private key is not exposed. (CVE-2023-6935)

- wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a
result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most
extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the
server containing first a ServerHello message and then the rest of the first server flight would be
accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL
client would accept an unencrypted flight from the server. This does not compromise key negotiation and
authentication so it is assigned a low severity rating. (CVE-2023-6937)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-6935

https://security.alpinelinux.org/vuln/CVE-2023-6937

Plugin Details

Severity: Medium

ID: 427025

Version: Revision 1.5

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-6935

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/9/2024

Reference Information

CVE: CVE-2023-6935, CVE-2023-6937